- #849: Update tests matrix. (@coorasse)
- #843: Compress duplicate rules. (@MrChoclate)
- #841: New https://cancancan.dev website. (@pandermatt)
- #839: switch from database column detection to Rails attributes detection. (@kalsan)
- #653: Add support for using an nil relation as a condition. (@ghiculescu)
- #702: Support scopes of STI classes as ability conditions. (@honigc)
- #798: Allow disabling of rules compressor via
CanCan.rules_compressor_enabled = false
. (@coorasse) - #814: Fix issue with polymorphic associations. (@WriterZephos)
- #691: Add two new subquery strategies:
joined_alias_exists_subquery
,joined_alias_each_rule_as_exists_subquery
. (@kaspernj) - #767: Improve ability checks with nested resources (hash checks)vim. (@Juleffel)
- #772: Support non-hash conditions in ability definitions. (@Juleffel)
- #773: Drop support for ruby 2.4 and 2.5. (@coorasse)
- #778: Drop support for ActiveRecord 4. (@coorasse)
- #675: Support modifying the
accessible_by
querying strategy on a per-query basis. (@ghiculescu) - #714: Don't hold unnecessary references to subjects in @rules_index. (@mtoneil)
- Added funding metadata to Gemspec. (@coorasse)
- #674: Fix accidental dependency on ActiveRecord in 3.2.0. (@ghiculescu)
- #649: Add support for Single Table Inheritance. (@Liberatys)
- #640: Simplify implementation of new model adapters. (@ghiculescu)
- #650: Support associations in rules. (@Liberatys)
- #657: Support for Rails 6.1. (@ghiculescu)
- #655: Add option for
accessible_by
querying strategy. (@ghiculescu)
- #605: Generate inner queries instead of join+distinct. (@fsateler)
- #608: Spec for json column regression. (@aleksejleonov)
- #571: Allows to check ability even the object implements
#to_a
. (@mtsmfm) - #612: Suppress keyword arguments warning for Ruby 2.7.0. (@koic)
- #569: Fix accessible_by fires query for rules using association as condition. (@albb0920)
- #594: Support translation of action name. (@ayumu838)
- #590: Fix Rule#inspect when rule is created through a SQL array. (@frostblooded)
- #592: Prevent normalization of through polymorphic associations.(@eloyesp)
Please read the guide on migrating from CanCanCan 2.x to 3.0
-
#489: Drop support for actions without a subject. (@andrew-aladev)
-
#512: Removed automatic eager loading of associations for ActiveRecord >= 5.0. (@kaspernj)
-
#575: Use the rules compressor when generating joins in accessible_by. (@coorasse)
-
#444: Allow to use symbols when defining conditions over enums. (@s-mage)
-
#538: Merge alias actions when merging abilities. (@Jcambass)
-
#462: Add support to translate the model name in messages. (@nyamadori)
-
#567: Extensively run tests on different databases (sqlite and postgres). (@coorasse)
-
#566: Avoid queries on session dumps (speed up error pages). (@coorasse)
-
#568: Automatically freeze strings in all files. (@coorasse)
-
#577: Normalise rules traversing associations to reduce the number of joins. (@coorasse)
- #528: Compress irrelevant rules before generating a query to optimize performances. (@coorasse)
- #529: Remove ruby 2.2 from Travis and add ruby 2.5.1. (@coorasse)
- #530: Predict associations names to support multiple references to the same table. (@coorasse)
- #530: Raise a specific exception when using a wrong association name in rules definition. (@coorasse)
- #482: Include conditions passed to authorize! in AccessDenied exception. (@kraflab)
- Removed support for dynamic finders. (@coorasse)
- #479: Support Rails 5.2. (@lizzyaustad)
- Use ActiveSupport standard loader. (@BookOfGreg)
- Inject cancancan in ActionController::API and ActionController::Base when they are both defined. (@arturoherrero)
- Fix compatibility with Rails 5 API. (@Eric-Guo)
- Various bugfixes on version 2.1.0. (@coorasse)
- Adds support for Rails Api applications. (@ajgon)
- Controller subclasses inherit skip_load_resource from superclass. (@jpmckinney)
- Fix instance variable not initialized warnings. (@sethcharles)
- Fix build_resource when model name is Action. (@anilmaurya)
- Smaller performance improvements. (@DNNX)
- Fix i18n lookup for unauthorized message. (@clemens)
- Drop support for Rails < 4.2. (@oliverklee)
- Drop support for ruby < 2.2. (@coorasse)
- Drop support for InheritedResource. (@coorasse)
- Drop support for Sequel. (@coorasse)
- Drop support for Mongoid. (@coorasse)
- Add ability to rspec matcher to take array of abilities. (@gingray)
- #204: Increase Performance. (@timraymond)
- Removed controller methods: skip_authorization, unauthorized!. (@coorasse)
- Removed options: nested, name, resource. (@coorasse)
- Improve performance for the Mongoid Adapter.
- Introduce rubocop and fixes most of the issues (@coorasse).
- Add support for Rails 5 (craig1410).
- Use cover for ranges.
- Add support for rails 4 enum's (markpmitchell).
- Fix #merge with empty Ability (jhawthorn).
- Significantly improve rule lookup time (amarshall).
- Removed deprecation warnings for RSpec 3.2 (NekoNova).
- Drop support for REE and Ruby 1.x and so Rails 2 (Richard Wilson).
- Add a permissions method to Ability (devaroop).
- Complete cancancan#115 - Specify authorization action for parent resources. (phallguy).
- Fix cancancan#168 - A bug with ActiveRecord 4.2 support causing ProtocolViolation due to named parameters not being passed in.
-
Fix i18n issue for Ruby < 1.9.3 (@bryanrite).
-
Fix cancancan#149 - Fix an issue loading namespaced models (darthjee).
-
Fix cancancan#160 - Support for Rails 4.2 (marshall-lee).
-
Fix cancancan#153 - More useful output in ability spec matchers (jondkinney).
- Fix cancancan#77, 78 - Fix an issue with associations for namespaced models (jjp).
- Fix cancancan#101 - Fixes an issue where overjealous use of references would cause issues with scopes when loading associations (@bryanrite).
-
Fix cancancan#59 - Parameters are automatically detected and sanitized for all actions, not just create and update (@bryanrite).
-
Fix cancancan#97, 72, 40, 39, 26 - Support Active Record 4 properly with references on nested permissions (scpike, tdg5, Crystark).
- Fix cancancan#86 - Fixes previous RSpec 3 update as there was a bug in the fix for RSpec 2.99 (@bryanrite).
- Fix cancancan#85 - Remove deprecation notices for RSpec 3 and continue backwards compatibility (andypike, bryanrite, porteta).
- Fix cancancan#75 - More specific hash-like object check. (@bryanrite).
-
Fix cancancan#67 - Sequel tests are run properly for JRuby. (@bryanrite).
-
Fix cancancan#68 - Checks for hash-like objects in subject better. (@bryanrite).
-
Feature cancan#884 - Add a Sequel model adapter (szetobo).
-
Feature cancancan#3 - Permit "can?" check multiple subjects (cefigueiredo).
-
Feature cancancan#29 - Add ability to use a String that will get instance_eval'd or a Proc that will get called as the parameter method option for strong_parameter sanitization (svoop).
-
Feature cancancan#48 - Define a CanCanCan module. Even though it is not used, it is standard practice to define the module, and helpful for determining between CanCanCan and CanCan for external libraries.
-
Fix ryanb/cancan#992 - Remove Rails 4 deprecations for scoped (thejchap & hitendrasingh).
-
Fix cancancan#16 - RSpec expectations are not explicitly required in RSpec > 2.13 (justinaiken & bryanrite).
-
Feature #988 Adds support for strong_parameters (@bryanrite).
-
Fix #726 - Allow multiple abilities with associations (elabs-dev).
-
Fix #864 - Fix id_param in shallow routes (francocatena).
-
Fix #871 - Fixes nested ability conditions (ricec).
-
Fix #935 - Reduce unnecessary object allocations (grosser).
-
Fix #966 - Fixes a variable name collision in nested conditions (knoopx).
-
Fix #971 - Does not execute "empty?" scope when checking class rule (matt-glover).
-
Fix #974 - Avoid unnecessary sql execution (inkstak).
-
Fix matches_conditons_hash for string values on 1.8 (@rrosen).
-
Work around SQL injection vulnerability in older Rails versions (@steerio) - issue #800.
-
Add support for nested join conditions (@yuszuv) - issue #806.
-
Fix load_resource "find_by" in mongoid resources (@albertobajo) - issue #705.
-
Fix namespace split behavior (@xinuc) - issue #668.
-
Fix inserting AND (NULL) to end of SQL queries (jonsgreen) - issue #687.
-
Fix merge_joins for nested association hashes (DavidMikeSimon) - issues #655, #560.
-
Raise error on recursive alias_action (fl00r) - issue #660.
-
Fix namespace controllers not loading params (andhapp) - issues #670, #664.
-
Improved support for namespaced controllers and models.
-
Pass :if and :unless options for load and authorize resource (mauriciozaffari).
-
Travis CI badge (plentz).
-
Adding Ability#merge for combining multiple abilities (rogercampos).
-
Support for multiple MetaWhere rules (andhapp).
-
Various fixes for DataMapper, Mongoid, and Inherited Resource integration.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.7...1.6.8].
-
Fixing nested resource problem caused by namespace addition - issue #482.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.6...1.6.7].
-
Correct "return cant jump across threads" error when using check_authorization (codeprimate) - issues #463, #469.
-
Fixing tests in development by specifying with_model version (kirkconnell) - issue #476.
-
Added travis.yml file for TravisCI support (bai) - issue #427.
-
Better support for namespaced models (whilefalse) - issues #424.
-
Adding :id_param option to load_and_authorize_resource (skhisma) - issue #425.
-
Make default unauthorized message translatable text (nhocki) - issue #409.
-
Improving DataMapper behavior (psanford, maxsum-corin) - issue #410, #373.
-
Allow :find_by option to be full find method name - issue #335.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.5...1.6.6].
-
#366: Pass action and subject through AccessDenied exception when :through isn't found.
-
Many Mongoid adapter improvements (rahearn, cardagin) - issues #363, #352, #343.
-
#360: Allow :through option to work with private controller methods.
-
#359: Ensure Mongoid::Document is defined before loading Mongoid adapter.
-
#330: Handle checking nil attributes through associations (@thatothermitch).
-
Improve scope merging - issue #328.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.4...1.6.5].
-
Fixed mongoid 'or' error - see issue #322.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.3...1.6.4].
-
Make sure ActiveRecord::Relation is defined before checking conditions against it so Rails 2 is supported again - see issue #312.
-
Return subject passed to authorize! - see issue #314.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.2...1.6.3].
-
Fixed instance loading when :singleton option is used - see issue #310.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.1...1.6.2].
-
Use Item.new instead of build_item for singleton resource so it doesn't effect database - see issue #304.
-
Made accessible_by action default to :index and parent action default to :show instead of :read - see issue #302.
-
Reverted Inherited Resources "collection" override since it doesn't seem to be working - see issue #305.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.6.0...1.6.1].
-
Added MetaWhere support - see issue #194 and #261.
-
Allow Active Record scopes in Ability conditions - see issue #257.
-
Added :if and :unless options to check_authorization - see issue #284.
-
Several Inherited Resources fixes (aq1018, tanordheim and stefanoverna).
-
Pass action name to accessible_by call when loading a collection (@amw).
-
Added :prepend option to load_and_authorize_resource to load before other filters - see issue #290.
-
Fixed spacing issue in I18n message for multi-word model names - see issue #292.
-
Load resource collection for any action which doesn't have an "id" parameter - see issue #296.
-
Raise an exception when trying to make a Ability condition with both a hash of conditions and a block - see issue #269.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.5.1...1.6.0].
-
Fixing deeply nested conditions in Active Record adapter - see issue #246.
-
Improving Mongoid support for multiple can and cannot definitions (@stellard) - see issue #239.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.5.0...1.5.1].
-
Added an Ability generator - see issue #170.
-
Added DataMapper support (@natemueller).
-
Added Mongoid support (@bowsersenior).
-
Added skip_load_and_authorize_resource methods to controller class - see issue #164.
-
Added support for uncountable resources in index action - see issue #193.
-
Cleaned up README and added spec/README.
-
Internal: renamed CanDefinition to Rule.
-
Internal: added a model adapter layer for easily supporting more ORMs.
-
Internal: added .rvmrc to auto-switch to 1.8.7 with gemset - see issue #231.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.4.1...1.5.0].
-
Renaming skip_authorization to skip_authorization_check - see issue #169.
-
Adding :through_association option to load_resource (@hunterae) - see issue #171.
-
The :shallow option now works with the :singleton option (@nandalopes) - see issue #187.
-
Play nicely with quick_scopes gem (@ramontayag) - see issue #183.
-
Fix odd behavior when "cache_classes = false" (@mphalliday) - see issue #174.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.4.0...1.4.1].
-
Adding Gemfile; to get specs running just +bundle+ and +rake+ - see issue #163.
-
Stop at 'cannot' definition when there are no conditions - see issue #161.
-
The :through option will now call a method with that name if instance variable doesn't exist - see issue #146.
-
Adding :shallow option to load_resource to bring back old behavior of fetching a child without a parent.
-
Raise AccessDenied error when loading a child and parent resource isn't found.
-
Abilities defined on a module will apply to anything that includes that module - see issue #150 and #152.
-
Abilities can be defined with a string of SQL in addition to a block so accessible_by works with a block - see issue #150.
-
Adding better support for InheritedResource - see issue #23.
-
Loading the collection instance variable (for index action) using accessible_by - see issue #137.
-
Adding action and subject variables to I18n unauthorized message - closes #142.
-
Adding check_authorization and skip_authorization controller class methods to ensure authorization is performed (@justinko) - see issue #135.
-
Setting initial attributes based on ability conditions in new/create actions - see issue #114.
-
Check parent attributes for nested association in index action - see issue #121.
-
Supporting nesting in can? method using hash - see issue #121.
-
Adding I18n support for Access Denied messages (@EppO) - see issue #103.
-
Passing no arguments to +can+ definition will pass action, class, and object to block - see issue #129.
-
Don't pass action to block in +can+ definition when using :+manage+ option - see issue #129.
-
No longer calling block in +can+ definition when checking on class - see issue #116.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.3.4...1.4.0].
-
Don't stop at +cannot+ with hash conditions when checking class (@tamoya) - see issue #131.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.3.3...1.3.4].
-
Switching to Rspec namespace to remove deprecation warning in Rspec 2 - see issue #119.
-
Pluralize nested associations for conditions in accessible_by (@mlooney) - see issue #123.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.3.2...1.3.3].
-
Fixing slice error when passing in custom resource name - see issue #112.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.3.1...1.3.2].
-
Fixing protected sanitize_sql error - see issue #111.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.3.0...1.3.1].
-
Adding :find_by option to load_resource - see issue #19.
-
Adding :singleton option to load_resource - see issue #93.
-
Supporting multiple resources in :through option for polymorphic associations - see issue #73.
-
Supporting Single Table Inheritance for "can" comparisons - see issue #55.
-
Adding :instance_name option to load/authorize_resource - see issue #44.
-
Don't pass nil to "new" to keep MongoMapper happy - see issue #63.
-
Parent resources are now authorized with :read action.
-
Changing :resource option in load/authorize_resource back to :class with ability to pass false.
-
Removing :nested option in favor of :through option with separate load/authorize call.
-
Moving internal logic from ResourceAuthorization to ControllerResource class.
-
Supporting multiple "can" and "cannot" calls with accessible_by (funny-falcon) - see issue #71.
-
Supporting deeply nested aliases - see issue #98.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.2.0...1.3.0].
-
Load nested parent resources on collection actions such as "index" (dohzya).
-
Adding :name option to load_and_authorize_resource if it does not match controller - see issue #65.
-
Fixing issue when using accessible_by with nil can conditions (jrallison) - see issue #66.
-
Pluralize table name for belongs_to associations in can conditions hash (logandk) - see issue #62.
-
Support has_many association or arrays in can conditions hash.
-
Adding joins clause to accessible_by when conditions are across associations.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.1.1...1.2.0].
-
Fixing behavior in Rails 3 by properly initializing ResourceAuthorization.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.1...1.1.1].
-
Supporting arrays, ranges, and nested hashes in ability conditions.
-
Removing "unauthorized!" method in favor of "authorize!" in controllers.
-
Adding action, subject and default_message abilities to AccessDenied exception - see issue #40.
-
Adding caching to current_ability controller method, if you're overriding this be sure to add caching too.
-
Adding "accessible_by" method to Active Record for fetching records matching a specific ability.
-
Adding conditions behavior to Ability#can and fetch with Ability#conditions - see issue #53.
-
Renaming :class option to :resource for load_and_authorize_resource which now supports a symbol for non models - see issue #45.
-
Properly handle Admin::AbilitiesController in params[:controller] - see issue #46.
-
Adding be_able_to RSpec matcher (dchelimsky), requires Ruby 1.8.7 or higher - see issue #54.
-
Support additional arguments to can? which get passed to the block - see issue #48.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.0.2...1.1].
-
Adding clear_aliased_actions to Ability which removes previously defined actions including defaults - see issue #20.
-
Append aliased actions (don't overwrite them) - see issue #20.
-
Adding custom message argument to unauthorized! method (tjwallace) - see issue #18.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.0.1...1.0.2].
-
Adding :class option to load_resource so one can customize which class to use for the model - see issue #17.
-
Don't fetch parent of nested resource if *_id parameter is missing so it works with shallow nested routes - see issue #14.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/1.0.0...1.0.1].
-
Don't set resource instance variable if it has been set already - see issue #13.
-
Allowing :nested option to accept an array for deep nesting.
-
Adding :nested option to load resource method - see issue #10.
-
Pass :only and :except options to before filters for load/authorize resource methods.
-
Adding :collection and :new options to load_resource method so we can specify behavior of additional actions if needed.
-
BACKWARDS INCOMPATIBLE: turning load and authorize resource methods into class methods which set up the before filter so they can accept additional arguments.
-
{see the full list of changes}[https://github.com/CanCanCommunity/cancancan/compare/0.2.1...1.0.0].
-
Many internal refactorings - see issues #11 and #12.
-
Adding "cannot" method to define which abilities cannot be done - see issue #7.
-
Support custom objects (usually symbols) in can definition - see issue #8.
-
See the full list of changes [https://github.com/CanCanCommunity/cancancan/compare/0.2.0...0.2.1].
-
Fix behavior of load_and_authorize_resource for namespaced controllers - see issue #3.
-
Support arrays being passed to "can" to specify multiple actions or classes - see issue #2.
-
Adding "cannot?" method to ability, controller, and view which is inverse of "can?" - see issue #1.
-
BACKWARDS INCOMPATIBLE: use Ability#initialize instead of 'prepare' to set up abilities - see issue #4.
-
See the full list of changes [https://github.com/CanCanCommunity/cancancan/compare/0.1.0...0.2.0].
- Initial release.